Abstract

During a digital investigation, the recorded time of activity on the system is crucial for solving the case. But file times may be manipulated by a user for deceptive reasons. Detecting such timestamp changes manually amounts to finding a needle in a haystack. Many indicators can lead to the detection of timestamp manipulation: the presence of anti-forensics tools; unusual timestamp differences among the volume shadow copies, the system restore points and the filesystem metadata; inconsistencies within the filesystem timestamps or with the established rules of normal time behavior; timeline analysis; etc. However, while reviewing the literature, we found little use of the capabilities of machine learning algorithms in such detection. In this paper, a machine learning approach for the automatic detection of timestamp tampering is proposed to reduce the manual search required to find such manipulation. Put differently, the approach classifies input files according to whether their timestamps have been tampered with or not. Furthermore, the process of synthetic dataset collection, feature engineering and extraction, dataset manipulation, training, and model evaluation is presented. To recapitulate, the experiment generates the synthetic dataset from a controlled virtual environment, applies a machine learning algorithm to a subset of the dataset, predicts on the other subset, and presents the results using a confusion matrix, receiver operating characteristic curves, precision-recall curves, accuracy, and log_loss.
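The pipeline the abstract outlines (synthetic data, feature extraction, training on one subset, scoring the other), as an added example that is not the paper's code. The abstract names neither features nor algorithm, so the three features, the logistic regression, and every timestamp value below are assumptions constructed for illustration; only the confusion matrix, accuracy and log loss are computed.

```python
import math

DAY = 86_400_000          # milliseconds
BASE = 1_600_000_000_000  # constructed epoch-ms origin

def make_records(n=40):
    """Constructed synthetic set: (created, modified, meta_changed, label); 1 = tampered."""
    recs = []
    for i in range(n):
        c = BASE + i * 3_600_000 + 137 * (i + 1)
        kind = i % 4
        if kind == 0:    # ordinary edit shortly after creation
            recs.append((c, c + 120_250 + i, c + 120_250 + i, 0))
        elif kind == 1:  # benign copy: old modified time kept, sub-second part intact
            recs.append((c, c - 10 * DAY + 333, c, 0))
        elif kind == 2:  # tampered: backdated to a whole second
            recs.append((c, c // 1000 * 1000 - 30 * DAY, c + 5_000, 1))
        else:            # tampered: reset to a whole second after creation
            recs.append((c, c // 1000 * 1000 + 7_000, c + 5_000, 1))
    return recs

def features(rec):
    """Hypothetical features: whole-second mtime, mtime < ctime, metadata change > 1 day after mtime."""
    c, m, e, _ = rec
    return [float(m % 1000 == 0), float(m < c), float(e - m > DAY)]

def predict_proba(w, b, x):
    return 1.0 / (1.0 + math.exp(-(b + sum(wi * xi for wi, xi in zip(w, x)))))

def train(recs, epochs=500, lr=0.5):
    """Logistic regression fitted by batch gradient descent."""
    w, b = [0.0, 0.0, 0.0], 0.0
    X, y = [features(r) for r in recs], [r[3] for r in recs]
    for _ in range(epochs):
        err = [predict_proba(w, b, x) - t for x, t in zip(X, y)]
        w = [wi - lr * sum(e * x[j] for e, x in zip(err, X)) / len(X) for j, wi in enumerate(w)]
        b -= lr * sum(err) / len(X)
    return w, b

def evaluate(w, b, recs):
    """Return (confusion matrix [[TN, FP], [FN, TP]], accuracy, log loss)."""
    cm, loss = [[0, 0], [0, 0]], 0.0
    for r in recs:
        p = predict_proba(w, b, features(r))
        cm[r[3]][int(p >= 0.5)] += 1
        loss -= math.log(p if r[3] else 1.0 - p)
    return cm, (cm[0][0] + cm[1][1]) / len(recs), loss / len(recs)

records = make_records()
w, b = train(records[:28])                  # fit on one subset
cm, acc, ll = evaluate(w, b, records[28:])  # score the held-out subset
print("confusion:", cm, "accuracy:", acc, "log loss:", round(ll, 4))
```

The benign-copy records share two of the three features with the backdated ones, so the fitted weights show which feature separates the classes in this constructed set.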
